All language subtitles for 3. File Type

1 00:00:00,000 --> 00:00:07,200 Welcome. In this lesson we'll be using a ransomware; please do this practice in your Windows virtual machine.
2 00:00:08,900 --> 00:00:17,233 File type. File type identification is essential to identify the malware's target operating system and its architecture.
3 00:00:18,700 --> 00:00:23,333 Windows executable files are PE format.
4 00:00:24,833 --> 00:00:31,833 In this lesson we are going to learn how to identify the file under analysis.
5 00:00:32,100 --> 00:00:38,233 First we start our Windows virtual machine.
6 00:00:40,766 --> 00:00:49,732 Before we start I must warn you: we are using the malware sample Rams1, which is a type of ransomware. We already talked about precautions
7 00:00:49,733 --> 00:00:53,733 in the section "Before start any lab".
8 00:00:57,200 --> 00:01:05,500 First we start the peStudio tool, run it as administrator and load Rams1.exe.
9 00:01:16,200 --> 00:01:20,200 Here it is, and there we go.
10 00:01:26,733 --> 00:01:34,966 You can see, among much other information, this file turns out to be a 32-bit file.
11 00:01:36,433 --> 00:01:43,133 Now let me point out something: as a rule of thumb you should never trust only one tool,
12 00:01:43,133 --> 00:01:53,033 so we are opening this also in CFF Explorer. Once you have it installed, just right-click on the executable and you'll see the option.
13 00:01:58,900 --> 00:02:01,433 There we go.
14 00:02:02,000 --> 00:02:13,433 We can confirm this is a 32-bit file and its signature is .NET, which means it was compiled in Microsoft Visual Studio .NET.
15 00:02:13,433 --> 00:02:18,499 These two tools give us a lot of info; feel free to explore them.
16 00:02:19,500 --> 00:02:27,600 Now we'll scan our binary online using the TrID tool; you have the link in your resources section.
17 00:02:27,800 --> 00:02:30,800 Let's upload our binary
18 00:02:40,000 --> 00:02:43,000 and press start.
19 00:02:45,766 --> 00:02:54,466 What this tool is telling us is that it is 79% sure this file is a .NET assembly.
20 00:02:54,466 --> 00:03:00,099 Maybe you're wondering why bother to scan the binary with several tools.
21 00:03:00,100 --> 00:03:07,333 Well, believe me, sometimes the results are contradictory, so it is worth trying a few tools.
22 00:03:08,733 --> 00:03:14,099 OK, let's continue. Now open Rams1 in CFF Explorer
23 00:03:14,100 --> 00:03:22,366 and I am going to teach you how to identify the file type manually using the information in the portable structure.
24 00:03:22,366 --> 00:03:31,132 You may have noticed that the peStudio and CFF Explorer tools are getting info from our binary's portable structure.
25 00:03:31,133 --> 00:03:41,233 We'll find much useful information here and we'll dig into this along the course, so don't worry if you don't understand this now.
26 00:03:41,233 --> 00:03:50,466 We select Address Converter and what we have here is the Rams1 binary's hexadecimal dump;
27 00:03:50,466 --> 00:04:00,899 there is no way to falsify the hex dump. If you remember our lesson about the Portable Structure you'll recognize this 4d 5a;
28 00:04:00,900 --> 00:04:06,100 this unequivocally identifies this file as a Windows file.
29 00:04:06,100 --> 00:04:10,100 And what about the architecture?
30 00:04:10,100 --> 00:04:19,366 Well, we must locate the line with PE on it and look for this 4c 01. What does this mean?
31 00:04:19,366 --> 00:04:23,366 Let me show you in this great online converter.
32 00:04:29,533 --> 00:04:40,333 Let's put 4c01 here, analyze the data and look for something called little endian, which is the notation our hex dump uses,
33 00:04:40,333 --> 00:04:44,333 and we find it translates to 14c.
34 00:04:44,500 --> 00:04:53,266 Now let's visit the official Portable Structure Microsoft site to find out what 14c means,
35 00:04:53,866 --> 00:05:00,732 and it is equivalent to the i386 processor; you may know this means 32 bits.
36 00:05:00,733 --> 00:05:07,566 So now we are 100 percent sure this binary is 32-bit/x86.
37 00:05:10,200 --> 00:05:24,266 Now how do you know if this file is 64 bits? Well, easy: if you don't see this 4c 01 here, then this file is 64 bits, that's it.
38 00:05:24,266 --> 00:05:28,732 Please join me to fingerprint this file in the next lesson.
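The manual check the lesson walks through (the MZ bytes 4d 5a at offset 0, the PE signature reached through e_lfanew, the Machine bytes 4c 01 read little-endian as 0x14c = IMAGE_FILE_MACHINE_I386, and the ".NET" signature), written out as a small Python script. This is an added example, not code from the course or from peStudio, CFF Explorer or TrID; the headers it inspects are constructed inside the script and are not the Rams1 sample, so it runs offline. It goes a little beyond the single x86 case in the lesson: it decodes the Machine value explicitly against the values in Microsoft's PE/COFF specification, so x64 (0x8664) and ARM64 (0xAA64) are identified by value rather than inferred, it distinguishes PE32 from PE32+ by the optional-header magic, and it treats a non-empty CLR runtime data directory (entry 14) as the .NET indicator. Pass a real file path as the first argument to inspect a binary on disk.

```python
"""
Minimal PE header inspector (added example, not code from the course).

It does by hand what peStudio, CFF Explorer and TrID reported in the
lesson: checks the 'MZ' (4d 5a) DOS signature, follows e_lfanew to the
'PE\\0\\0' signature, decodes the little-endian Machine field of the COFF
file header (bytes 4c 01 -> 0x14c, IMAGE_FILE_MACHINE_I386), and checks
the CLR runtime data directory, which is what the ".NET" label means.
The sample headers built by build_sample() are constructed; they are not
the Rams1 binary.
"""
import struct

# Machine values from Microsoft's PE/COFF specification: (name, bits).
MACHINE_TYPES = {
    0x014C: ("x86 (IMAGE_FILE_MACHINE_I386)", 32),
    0x8664: ("x64 (IMAGE_FILE_MACHINE_AMD64)", 64),
    0x01C4: ("ARM Thumb-2 (IMAGE_FILE_MACHINE_ARMNT)", 32),
    0xAA64: ("ARM64 (IMAGE_FILE_MACHINE_ARM64)", 64),
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COFF_HEADER_SIZE = 20


def inspect_pe(data: bytes) -> dict:
    """Return the file type facts the lesson derives from the hex dump."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ (4d 5a) signature: not a Windows PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + COFF_HEADER_SIZE + 2:
        raise ValueError("truncated: COFF/optional header missing")

    # "<" = little-endian, so the on-disk bytes 4c 01 decode to 0x014c.
    machine, _nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    machine_bytes = data[coff:coff + 2].hex(" ")   # what you see in the dump

    # Optional header: PE32 (0x10b) or PE32+ (0x20b) decides the layout.
    opt = coff + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        fmt, n_dirs_off, dirs_off = "PE32", 92, 96
    elif magic == PE32PLUS_MAGIC:
        fmt, n_dirs_off, dirs_off = "PE32+", 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < dirs_off + 4:
        raise ValueError("optional header too small for data directories")

    # .NET assemblies carry a non-empty CLR runtime header (directory 14).
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    dotnet = False
    if n_dirs > CLR_DIRECTORY_INDEX:
        rva, size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * CLR_DIRECTORY_INDEX)
        dotnet = rva != 0 and size != 0

    name, bits = MACHINE_TYPES.get(machine, (f"unknown ({machine:#06x})", None))
    return {
        "machine": machine,
        "machine_bytes": machine_bytes,
        "architecture": name,
        "bits": bits,
        "format": fmt,
        "dotnet": dotnet,
        "is_dll": bool(chars & 0x2000),   # IMAGE_FILE_DLL
    }


def build_sample(machine: int, dotnet: bool) -> bytes:
    """Construct a synthetic PE header (headers only, not a loadable file)."""
    pe32plus = machine in (0x8664, 0xAA64)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    n_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    n_dirs, e_lfanew = 16, 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = dirs_off + 8 * n_dirs
    chars = 0x0022 if pe32plus else 0x0102   # EXECUTABLE_IMAGE (+ flags)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, n_dirs_off, n_dirs)
    if dotnet:   # arbitrary non-zero RVA/size for the CLR header
        struct.pack_into("<II", opt, dirs_off + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # inspect a real file from disk
        with open(sys.argv[1], "rb") as f:
            print(inspect_pe(f.read(4096)))
    else:                                 # constructed samples
        for m, d in ((0x014C, True), (0x8664, False)):
            print(inspect_pe(build_sample(m, d)))
```

For a real sample, the dictionary printed for the x86 .NET case is what peStudio, CFF Explorer and TrID agreed on in the lesson (machine_bytes "4c 01", machine 0x14c, 32-bit, dotnet True). Run it inside the analysis VM like the other tools, and on the raw bytes only; the script never executes the file.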